The GDPR Privacy Principles – and How They’ll Affect Your Organisation

In the latest of our GDPR blog posts, we look at the six principles that underpin the processing of personal data.


The six privacy principles set out the fundamental conditions that organisations must adhere to when processing personal information.

While the principles are easy enough to read, it can be tricky to work out what they mean for your organisation in practice. And because infringements of the basic principles for processing sit in the higher tier of fines under the GDPR, compliance with these six principles is critical. So let’s take a closer look.

The six privacy principles state that personal data shall be:

  1. Processed in a lawful, fair and transparent way.

There are a number of conditions (legal bases) under which personal data can be lawfully processed, and at least one of them must be satisfied for each processing activity. Consent is one such condition, and the GDPR sets stricter rules around obtaining it: consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action, so pre-ticked boxes and silence no longer count, and in many cases organisations will have to rely on customers actively opting in. Remember too that if consent is the condition being relied upon, it can be withdrawn at any time, and withdrawing it must be as easy as giving it.

However, consent is often misunderstood as the basis for all data processing. In fact, most personal data handled within the HR world will not rely on consent at all: the majority of HR data is processed because it is necessary for the performance of the employment contract, or to meet a legal obligation such as payroll and tax reporting, both of which are separate processing conditions. Consent is a poor fit in the employment relationship in any case, because the imbalance of power between employer and employee makes it hard to show that it was freely given.

In terms of transparency, privacy notices need to be updated so that they are easily accessible and explain, in concise and plain language, what personal data will be collected, why and how it will be processed, how long it will be kept, and what rights data subjects have. Gone are the days of indecipherable consent clauses, legalese and buried opt-outs.

  2. Collected for specified, explicit and legitimate purposes, and not processed in a way that is incompatible with those purposes.

Once you have collected personal data and explained via your privacy notice what you intend to use it for, this principle stops you from then using it for purposes that are incompatible with the ones you stated. If you process an individual’s personal data in order to administer their employment contract, passing their details to an online shopping service would breach this principle, as third-party marketing is not compatible with the original purpose. Genuinely compatible further processing, or processing for a new purpose to which the individual has consented, is not ruled out.

  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

The third principle is data minimisation: you should collect and process only the personal data that is needed for the purposes you have specified. You need enough relevant information to do the job, but you should not collect more than you need just in case it comes in handy someday. Any such extra data would not relate to the specified purpose(s), and it would still have to be protected, kept accurate and eventually deleted.

  4. Accurate and, where necessary, kept up to date or erased.

Organisations must take reasonable steps to ensure that the personal data they process is accurate and, where necessary, kept up to date, and inaccurate data must be corrected or erased without delay. This ties in with the third principle: the less personal data you hold, the easier it is to keep it accurate and current.

  5. Kept in a form that permits identification of individuals for no longer than is necessary for the purposes for which the personal data is processed.

This principle means organisations need a retention policy that sets out how long each category of personal data is kept, and that personal data must be deleted or genuinely anonymised once it has served its purpose (pseudonymised data still permits identification, so it does not count). Personal data may be stored for longer periods only where it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and then only with appropriate safeguards in place.

  6. Processed in a manner that ensures appropriate security of the personal data.

The sixth principle makes organisations responsible for the security of the personal data they process, for as long as they process it. This means protecting the data against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures. What counts as appropriate is judged against the risk to the individuals concerned, taking into account the state of the art and the cost of implementation; the GDPR gives pseudonymisation and encryption, the ability to restore access to the data after an incident, and regular testing of the measures as examples.

In a final condition, regarded by some as a seventh principle (accountability), the GDPR states that organisations are responsible for compliance with the six principles and must be able to demonstrate it. In practice that means keeping evidence: records of processing activities, the legal basis and retention period for each, and the security measures actually in place.

Organisations must understand and adhere to these six points if they are to comply with the GDPR and avoid those eye-watering fines. Thankfully the principles aren’t a major departure from the Data Protection Act 1998 (DPA); they build out those concepts more fully to reflect the requirements of data privacy in today’s digital world.


Are your staff up to speed with the coming changes? MHR now offers an exclusive GDPR Staff Awareness e-learning course, complete with final test to demonstrate course completion. For more information, click here.